OFFICE OF INSPECTOR GENERAL

AUDIT OF USAID'S FISCAL YEAR 2013 COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002

AUDIT REPORT NO. A-000-14-001-P
October 15, 2013

WASHINGTON, DC

This is a summary of our report on the "Audit of USAID's Fiscal Year 2013 Compliance with the Federal Information Security Management Act of 2002." The Federal Information Security Management Act of 2002 (FISMA) requires agencies to develop, document, and implement an agency-wide information security program to protect their information and information systems, including those provided or managed by another agency, contractor, or other source. The act also requires agencies to have an annual assessment of their information systems.

The Office of Inspector General (OIG) contracted with the independent certified public accounting firm of Cotton & Company LLP to conduct the audit. Cotton was required to conduct the audit in accordance with U.S. Government auditing standards. The objective was to determine whether USAID implemented selected minimum security controls for selected information systems to reduce the risk of data tampering, unauthorized access to and disclosure of sensitive information, and disruptions to USAID's operations.

The audit found that USAID had not established an effective risk management program to ensure that policies and procedures were assessed and working as intended. In addition, Cotton reported that USAID's decentralized management of information technology and information security did not allow it to implement a process to effectively assess, respond to, and monitor information security risks throughout the Agency. Consequently, the audit concluded that USAID was not in substantial compliance with FISMA.

Based on Cotton's report, OIG made 29 recommendations to help USAID strengthen its information security program. Management decisions were made on all 29 recommendations, and final action was taken on 2 of them. However, OIG did not agree with 5 management decisions and encouraged USAID to revise them to fully address the weaknesses identified in Cotton's audit report.

U.S. Agency for International Development
Office of Inspector General
1300 Pennsylvania Ave, NW
Washington, D.C. 20523
Tel: (202) 712-1150
Fax: (202) 216-3047
http://oig.usaid.gov